Hacking Exposed Mobile: Security Secrets & Solutions

Posted on by Ben Rothke

Little did anyone know, when the first Hacking Exposed books came out over 15 years ago, that they would launch a set of sequels on topics ranging from Windows, Linux and web development to virtualization and cloud computing, and much more.  It was a series that launched a generation of script kiddies, in addition to security experts.

In 2013, the newest edition is Hacking Exposed Mobile Security Secrets & Solutions.  In this edition, authors Neil Bergman, Mike Stanfield, Jason Rouse & Joel Scambray provide an extremely detailed overview of the security and privacy issues around mobile devices.  The authors have decades of experience in the various mobile topics and bring that to every chapter.

The power of mobile devices can be understood by the fact that this book came out in July 2013, and just last week, Steve Ballmer announced that he will step down as Microsoft CEO.  While mobile has spelled doom for Ballmer’s career and Microsoft’s bottom line, mobile has made the Apple brand relevant again, and extremely dominant.  More of a concern is that mobile is the new avenue of security attacks for a new generation of attackers.

The book provides a great overview of the new threats created by mobile devices.  Like the other books in the series, it provides an overview of the issues, shows how attackers will use vulnerabilities to compromise and exploit mobile devices, in addition to showing you how to secure your mobile devices and enterprise mobile platforms against these threats.

One difference between this book and other Hacking Exposed titles, especially the Windows editions, is that this one has a dearth of script kiddie tools.  This is due to the fact that such tools don’t exist so much for the mobile platforms.

The 9 chapters in the book provide a comprehensive and meticulous synopsis of all of the core areas of security and privacy concern in mobile computing.

The first two chapters provide a thorough analysis of the mobile risk ecosystem and how the cellular networks operate. 

One of the major risks detailed in chapter 1 is physical risk.  When data resides in physical data centers, a company can have some semblance of assurance of security, given that the data sits behind multiple layers of physical controls in an enterprise data center or colocation facility.  The authors note that physical access to mobile devices is difficult to defend against for very long, and the entire phenomenon of rooting and jailbreaking certainly proves this.

They also write that they have yet to find a mobile application that they could not defeat when given physical access, including defeating the mobile device management software.  The book astutely notes that if your mobile risk model assumes that information can be securely stored indefinitely on a physical mobile device, then you are starting with a false assumption.  The entire book is based on the assumption of an attacker gaining control of the mobile device.  To compensate for that, the book provides the requisite countermeasures.

Another bit of sagacious advice in the book is ensuring your developers, and those you outsource your development to, understand the specific risks and vulnerabilities around mobile apps.  It is crucial that all programmers developing mobile apps be sufficiently trained in how to write secure mobile apps.

Chapter 3 details iOS, the Apple mobile operating system.  An interesting part of the chapter is on how to jailbreak Apple devices.  But the authors also note that there are pros and cons to jailbreaking.  The main negative is that you expose yourself to a variety of attack vectors that could lead to a complete compromise of the device.  A non-jailbroken device obviates that in most cases given the security controls in place.

The book also sheds light on the fact that even though iOS is a closed system with fewer threat vectors, it is still far from perfect.  The Apple App Store, even with its security controls, is far from impervious to attack.  The chapter tells the story of a few malicious apps that slipped past security reviews and found their way onto the Apple App Store.  While these malicious apps were later removed, they were there long enough to cause damage.

While the book provides ample evidence of the risks and vulnerabilities around mobile devices, it is also rich in appropriate countermeasures and methods to compensate for them.  The chapters on iOS and Android provide myriad ways in which to secure the devices.  Chapter 8 on mobile development security details a framework in which to secure mobile devices.  This framework includes requirements ranging from secure communications, effective authentication and preventing information leakage to platform controls and more.

Appendix A contains a checklist of options that end-users can use to ensure the security of their private data and sensitive information stored on their mobile devices. 

Appendix B is a mobile application penetration testing toolkit for performing security assessments of mobile technologies.

The press is full of stories of how the demise of Microsoft is directly related to its misreading of the mobile market.  The public has responded by buying mobile devices in the billions, and attackers who not so long ago wrote exploits for Windows are now putting their efforts into iOS and Android.  The message is clear: mobile apps need to be written with security in mind, and mobile devices need to be secured.

For those looking for an understanding of current mobile security threats and how to counter them, Hacking Exposed Mobile Security Secrets & Solutions is a uniquely good book. 

ISBN 978-0071817011

Ben Rothke

Senior Information Security Manager, Tapad
